Case ID #: (Pending)
Title: UNSUBS; 
aka HACKERS FOR GIRLIES; 
NEW YORK TIMES-VICTIM; 
CITA; 
OO: NY 
Synopsis: Request creation of sub file for subpoena returns. 
Details: Pursuant to a Federal Grand Jury Subpoena, a package of
documents has been delivered to the New York office. It is
requested that a sub-file be created for these documents.

hacking group called HACKERS FOR GIRLIES (HFG) and
HFG has claimed responsibility for recently hacking 
the New York Times, NASA, MOTOROLA, PENTHOUSE and RT66.com. 


[____] is described as paranoid. [____] believes that
he is being investigated by the FBI for the NY TIMES hack. 
has published articles on the internet er ways of

NAME:
RACE: White 
SEX: Male 


To: New York
Re: 10/26/1998 


LEAD (s): 


Set Lead 1: 


Conduct surveillance on to verify
residence. Determine business location other than
Mailbox Etc. location. Identify where back-up computer storage
tapes or disk are stored after being taken from

Identify residence(s) and other 
identifying information (i.e. vehicles, associates, daily 
schedule, etc). Provide photos if possible.

FROM THE EDITORS


Learning from the Hackers 


You’ve found a vulnerability in certain widely used e-mail programs
that could let vandals wreck computers by remote control. An- 
nouncing your discovery will allow programmers to fix this prob- 
lem, but it will also tip off would-be saboteurs. To publish or not to publish? 

This past summer some experts faced that dilemma. They wisely chose 
to tell the world. Fixes were written and distributed quickly, and as of this
writing, no one seems to have exploited the weakness. 

We faced a similar decision over Carolyn P. Meinel’s article on page 98, 
“How Hackers Break In ... and How They Are Caught.” Meinel de- 
scribes how a fictional hacker might penetrate a corporation’s computer 
system. Is publishing it irresponsible? 
Obviously, we think not. Improving the 
security of networked computers is cru- 
cial. We can best inform readers about 
how to defend themselves by explaining 
what attacks to expect. 

Serious hackers already know these se- 
crets. Anyone who wants to know how 
to crack a system can get all the advice 
he (or, rarely, she) needs on Web sites 
and bulletin boards. The software equiv- 
alents of crowbars and lockpicks are 
available on-line. Hackers don’t need to 
be programmers these days any more 
than burglars need to be architects. 

And cracking a system doesn’t take a 
criminal mastermind when the autho- 
rized users are locking the front door with masking tape and string. Every 
person on a network who chooses an obvious password or, worse, patch- 
es in an unguarded phone line is shaving years off the life of some poor 
system administrator. 


HIGH-TECH BURGLARS 
don’t need to be programmers. 


Here is how mainstream hacking has become: thousands of hackers
gather in Las Vegas every summer for a meeting called Def Con. (Re- 
ality check: subversive groups don’t hold annual conventions in Vegas.) 
Luckily, most hackers are more curious and adventurous than malicious 
and so are willing to share their knowledge of the Internet’s soft underbel- 
ly. Smart corporations, law enforcers and the military are listening. 

We all should be. Vulnerability to hacking is not a passing phase. No 
matter how strong the firewalls around systems, some people will always 
try to break in—and administrators will retaliate with stronger walls. 

Vigilance and prudence can keep malicious hacking in check. Reading 
our special report on computer security and the Internet is a good way to 
start. Then think about changing your passwords—but for heaven’s sake, 
stay away from birthdays, J.R.R. Tolkien characters and Star Trek references! 




JOHN RENNIE, Editor in Chief 
editors@sciam.com

How Hackers Break In...


Port scanners, core dumps and buffer overflows are 
but a few of the many weapons in every sophisticated 
hacker’s arsenal. Still, no hacker is invincible


Editors’ note: This fictionalized account is a composite of many 
incidents that have occurred, at one time or another, somewhere 
in cyberspace. The names of people and other details have been 
changed, but the technologies and software do exist. Some of the 
events reported here are drawn from the firsthand experiences of 
the author, who is known both in the computer underground 
and among security experts for her hacking skills and for her 
countless battles against hackers. SCIENTIFIC AMERICAN thanks 
Rt66 Internet, an Internet service provider in Albuquerque, 
N.M., which tested much of the software and hardware de- 
scribed in this article to verify the technologies involved. 


COMPUTER BREAK-IN can occur in various ways 
because systems connected to the Internet almost
always have certain vulnerabilities. To protect their 
internal networks, companies install firewalls, pow- 
erful defensive software that blocks unauthorized 
intruders. Nevertheless, determined hackers can 
usually uncover ways of circumventing a firewall.

by Carolyn P. Meinel


Sitting at his home computer one night, Abednego logs
on to the Internet Relay Chat, the cyberspace equivalent
of CB radio. After connecting to a channel devoted
to the powerful Unix operating system, he watches as
the on-line habitués meet to make contacts, build alliances
and exchange knowledge. The scene is reminiscent of the
cantina in Star Wars.

Eager to interject himself into the conversation—and to
impress others—Abednego waits for someone to ask a simple-minded
question so that he can incite a “flame war,” in
which the participants begin hurling venomous insults at
one another. Just then, someone with the handle “Dogberry”
asks about writing a device driver for a home weather
station. Abednego seizes his chance. “RTFM” is his response.
It stands for “read the f——g manual.”

Others begin launching nasty insults, but not at Dogberry.
Apparently, the question was far more complex than Abednego
had realized. Dogberry’s terse put-down—“Newbie!”—
fans the flames. Humiliated, Abednego vows revenge.

Using the “finger” command on Internet Relay Chat,
Abednego obtains the e-mail address “Dogberry@refrigerus.com.”
Abednego figures that if Dogberry is such a Unix whiz,
he might be manager of the computers at refrigerus.com. To
confirm his hunch, Abednego uses “telnet” to connect to
the mail server of that computer. He then issues the command
“expn root@refrigerus.com” and learns that Dogberry
is indeed the head system administrator there.

His interest sufficiently piqued, Abednego runs Strobe, a
program that attempts to connect with each of the thou- 
sands of virtual ports on refrigerus.com. The scanner will 
meticulously record responses from any daemons, which 
are automatic utility programs, such as those that handle e- 
mail. Abednego knows that each port might be an open 
door—or a door that he might be able to break down—if he 
can take advantage of some flaw in its daemon. 


ALL ILLUSTRATIONS BY DUSAN PETRICIC


and How They Are Caught


But Strobe hits a wall—Dogberry’s firewall, to be exact. 
That powerful defensive software intercepts each incoming 
packet of data, reads its TCP/IP (transmission control proto- 
col/Internet Protocol) header and determines with which 
port it seeks to connect. The firewall compares this request 
with its own strict rules of access. In this case, refrigerus. 
com has decreed that there should be only one response to 
Abednego’s scanner. 

From that instant on, a program on refrigerus.com sends 
a blitzkrieg of meaningless data, including random alpha- 
numeric characters, back to Abednego, overwhelming his 
home PC. Meanwhile another daemon sends e-mail to 
Abednego’s Internet service provider (ISP), complaining that 
someone is attempting to break into refrigerus.com. Within 
minutes, the ISP closes Abednego’s account for suspicion of 
computer crime. 

Although Abednego is caught off guard—many ISPs would 
not have taken such a strong measure so quickly—the set- 
back is minor. The closed account was only one of several 
he had created after breaking into that ISP. But the termination
of the account at that particular moment causes him to
be dumped from Internet Relay Chat in the midst of the 
flames against him. To the others on-line, it looks as if Abed- 
nego has been unceremoniously booted or, worse, that he 
has fled for cover. 

Abednego burns for retaliation. His next step is to try a 
stealth port scanner. Such programs exploit the way in 
which IP transmissions work. When one computer wishes 
to talk to another, it must first transmit a short message
packet containing a SYN (synchronize) flag. The header of 
the packet also contains other important information, such 
as the IP address of both the source and destination. In response,
the recipient daemon sends back a packet that contains
an ACK (to acknowledge the received packet), a SYN
and a sequence number that is used to coordinate the up- 
coming transmission. When the first computer gets the re- 
turn ACK/SYN, it issues an ACK of its own to confirm that 
all is ready, thus completing a three-way handshake. Then, 
and only then, can the sender computer begin transmitting 
its message using the sequence number provided. At the 
end of the communication, the sender transmits a packet 
with a FIN (finish) flag, and the receiver returns an ACK to 
signal that it is aware the transmission has ended. 

Abednego knows that a stealth port scanner can take ad- 
vantage of this process by sending just premature FIN pack- 
ets to each port on a computer. Typically if a port is open, 
the recipient daemon will not send any response. If a port is 
closed, however, the computer will return an RST (reset) 
packet. But because this computer does not truly recognize 
a connection until it has completed the opening three-way 
handshake, it does not record the transmission in its logs. 
Thus, a FIN scanner can probe a computer in relative secre- 
cy, without ever having opened any official connections. 
(Yet, as Abednego will soon learn, there is enough informa- 
tion in even one FIN packet to establish a sender's identity.) 
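
Added example, not part of the original article: the check a packet sniffer can make that connection logs cannot, flagging FIN packets that belong to no completed three-way handshake and grouping them by sender. The capture records, addresses and the `min_ports` threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample capture, not taken from the article.
# Fields: (time, src, sport, dst, dport, flags). 192.0.2.10 is the monitored host.
CAPTURE = [
    # A normal client: three-way handshake, then both sides close in order.
    (0.00, "198.51.100.7", 40001, "192.0.2.10", 80, "SYN"),
    (0.01, "192.0.2.10", 80, "198.51.100.7", 40001, "SYN+ACK"),
    (0.02, "198.51.100.7", 40001, "192.0.2.10", 80, "ACK"),
    (0.50, "198.51.100.7", 40001, "192.0.2.10", 80, "FIN+ACK"),
    (0.51, "192.0.2.10", 80, "198.51.100.7", 40001, "ACK"),
    (0.52, "192.0.2.10", 80, "198.51.100.7", 40001, "FIN+ACK"),
    (0.53, "198.51.100.7", 40001, "192.0.2.10", 80, "ACK"),
    # A prober: bare FINs with no handshake. Closed ports answer with a reset.
    (1.00, "203.0.113.66", 51000, "192.0.2.10", 21, "FIN"),
    (1.01, "192.0.2.10", 21, "203.0.113.66", 51000, "RST+ACK"),
    (1.02, "203.0.113.66", 51000, "192.0.2.10", 22, "FIN"),
    (1.04, "203.0.113.66", 51000, "192.0.2.10", 23, "FIN"),
    (1.05, "192.0.2.10", 23, "203.0.113.66", 51000, "RST+ACK"),
    (1.06, "203.0.113.66", 51000, "192.0.2.10", 80, "FIN"),
]


def find_fin_probes(capture, min_ports=3):
    """Return {(src, dst): {"closed": [...], "silent": [...]}} for every source
    that sent FINs outside any established connection to at least `min_ports`
    distinct ports. `min_ports` is an illustrative threshold, not a standard."""
    handshake = {}               # (client, cport, server, sport) -> stage
    probes = defaultdict(dict)   # (src, dst) -> {dport: "silent" | "rst"}

    for _ts, src, sport, dst, dport, flag_text in capture:
        flags = set(flag_text.split("+"))
        fwd = (src, sport, dst, dport)   # flow as seen from this packet's sender
        rev = (dst, dport, src, sport)   # same flow, keyed by the other side

        if flags == {"SYN"}:
            handshake[fwd] = "SYN"
        elif flags == {"SYN", "ACK"} and handshake.get(rev) == "SYN":
            handshake[rev] = "SYN-ACK"
        elif flags == {"ACK"} and handshake.get(fwd) == "SYN-ACK":
            handshake[fwd] = "ESTABLISHED"
        elif "RST" in flags:
            # A reset sent back to a source that just probed this port.
            seen = probes.get((dst, src))
            if seen is not None and sport in seen:
                seen[sport] = "rst"
        elif "FIN" in flags:
            key = fwd if fwd in handshake else rev
            if handshake.get(key) in ("ESTABLISHED", "CLOSING"):
                # Legitimate close; the peer's own FIN must not be flagged later.
                handshake[key] = "CLOSING"
            else:
                # FIN with no completed handshake behind it.
                probes[(src, dst)].setdefault(dport, "silent")

    report = {}
    for pair, ports in probes.items():
        if len(ports) >= min_ports:
            report[pair] = {
                # Ports that answered with RST (the prober learns they are closed).
                "closed": sorted(p for p, r in ports.items() if r == "rst"),
                # Ports that did not answer (the prober infers a listening
                # service or a filter), so these are the ones to review.
                "silent": sorted(p for p, r in ports.items() if r == "silent"),
            }
    return report


if __name__ == "__main__":
    for (src, dst), ports in find_fin_probes(CAPTURE).items():
        print(f"{src} -> {dst}: closed={ports['closed']} silent={ports['silent']}")
```

The source address in the report is the same information the article says a single FIN packet carries, which is why the probe is quiet in connection logs but not anonymous to a sniffer.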

Abednego surfs the Internet to search for an advanced
stealth port scanner and finds one at an underground Web
site. The program, like most other hacker tools, is written in
the C computer language. Abednego struggles to compile,
or convert, the scanner from C into a form that can be executed
on his home PC, which runs on Linux, one of the
many variants of Unix.

INTERNET TRANSMISSIONS follow certain rigid protocols. Normally,
the sender first transmits an introductory message packet
containing a SYN flag to synchronize the upcoming communication
(top). The receiver then returns an ACK, which acknowledges
the request, and a SYN. After obtaining this information, the sender
transmits an ACK, which completes the necessary three-way
handshake. Only then can the sender dispatch the message itself.
When finished, he issues a FIN flag, and the receiver returns an
ACK, which officially closes the correspondence. A hacker can circumvent
the process by sending just a premature FIN, from which
the hapless receiver might return an RST, or reset, packet (bottom).
The response—or lack of one—reveals certain information about
the receiver, but because no three-way handshake was ever completed,
the transmission is not recorded in the receiver’s logs. The
hacker can thus probe an unwitting computer in relative secrecy,

Abednego’s difficulty in converting the software is not unusual
because of the many peculiarities of the different flavors
of Unix. And Abednego, like many hackers, did not formally
study computer science. In fact, also like most hackers,
Abednego never learned to program because he never
had to: almost any software a computer criminal might ever
want is available on the Internet, already written and free
for the taking—as long as the hacker knows how to compile
it (or has cohorts who do).

The young Dogberry had taken a different path. After befriending
a technician at a local ISP, he learned how to administer
a network. Before long, Dogberry and the technician
were playing computer break-in and defense games.
The payoff came when they used the results to help the ISP
improve its security. With that success, Dogberry was hired
by the ISP to work part-time while he pursued his computer
science degrees.

Thus, when Abednego decided to take on Dogberry, he had 
already made his first mistake. Dogberry is a white-hat (or 
nonmalicious) hacker and a veteran of many cyberbattles. 


Casing the Joint 


As dawn breaks, Abednego has finally finished compiling
the code and is ready to deploy it. Within minutes, the
FIN scanner has given him a snapshot of the services that
refrigerus.com offers to those coming only from an approved
IP address. Two that draw his attention are a secure-shell
daemon, which is a way to make encrypted Internet connections,
and a Web server.

Then Abednego’s heart skips a beat. An unusual port 
number, 31,659, has also turned up on his FIN scan. Could 
another intruder have preceded him and left a back door, a 
secret passage to enter the system undetected? 

The beeping of a pager jolts Dogberry out of a deep sleep. 
EtherPeek, a sniffer program installed on the refrigerus.com 
network, has detected the port scan. Dogberry rushes into 
the office to watch for more attacks from the console of his 
administrative computer. His best defensive programs run 
only from that machine and only for someone who is phys- 
ically there, so that they cannot be tampered with remotely 
by an attacker. 

Meanwhile, despite the powerful temptation of that 
31,659 daemon, Abednego leaves the chase for now. Some- 
thing—his hacker intuition—tells him that he should return 
on another night. So by the time Dogberry arrives at work, 
he sees no more activity. 

Curious about the unusual attack, though, Dogberry begins
analyzing his computer logs and is able to retrieve the
source address from the hacker’s FIN packets. With this information,
he sends an e-mail to Abednego’s ISP, advising
the firm of the break-in attempt and asking for details about
Abednego’s account. But the system administrator at the
ISP rejects Dogberry’s request, citing a confidentiality policy,
because merely running a scanner breaks no law.

Three evenings later Abednego resumes the hunt. But
when his computer dials into his account, he finds out his
password is no longer good. Upset, he phones the ISP and
learns that his account has been shut down because of the
FIN scan. Yet this turn of events does little to discourage him.
In fact, he is now even more determined.

[Illustration: shadow password file listing]

With his credit-card number and a telephone call to a dif- 
ferent ISP, he is back on-line within minutes. This time, 
though, Abednego is more cautious. Through this new 
account, he logs on to one of his hacked accounts at yet 
another ISP. Once there, he gives the simple command 
“whois refrigerus.com.” The response tells him the domain 
name belongs to Refrigerators R Us, a national retail chain. 

Next, Abednego tries to log on to refrigerus.com through
the 31,659 port by issuing the command “telnet refrigerus.com.
31,659.” The response is, “You lamer! Did you really
think this was a back door?!” Then the 31,659 daemon attempts
to crash his PC by sending corrupt packets, while e-mailing
the system administrator at Abednego’s hacked ISP
that someone has attempted to commit a computer crime.
Within minutes, Abednego’s connection dies.

More determined, Abednego now tries to tiptoe around 
the firewall instead of forcing his way through it. Using yet 
another of his many hacked accounts, he begins by at- 
tempting to catalogue the computers that belong to refrig- 
erus.com. To obtain this information, he tries “nslookup,” 
which initiates a search throughout the Internet for master 
databases containing directories of IP addresses. 

But “nslookup” is unable to retrieve anything useful. 
Dogberry must have set up the refrigerus.com network so 
that all packets destined for any of its internal addresses are 
sent first to a name-server program, which then directs them 
to the appropriate computers within the network. This pro- 
cess hinders anyone on the outside from learning details 
about the computers inside the firewall. 

Abednego’s next attempt is through an IP address scanner.
First, he converts refrigerus.com to a numerical address,
using “nslookup.” With that number as a starting place, he
scans the IP addresses above and below it. He discovers
some 50 Internet host computers. Although there is no
guarantee that these belong to refrigerus.com, Abednego
knows it is a good bet they do.


Next, he uses “whois” to ask whether any other domain
names are registered to Refrigerators R Us. The response reveals
another: refrigeratorz.com, with an address that is numerically
distant from that of refrigerus.com. The IP address
scanner soon reveals five additional Internet hosts on numbers
nearby refrigeratorz.com.

CORE DUMP can be used by hackers to obtain secret information.
When a program running on a computer fails,
it sometimes causes the machine to dump, or flush, the
contents of a part of its random-access memory (RAM). A
hacker can force such an incident to occur so that he can
then sift through the discarded data, which might contain
important information, such as the passwords for
specific accounts on the network system.


HACKER LEXICON 


Abednego—A biblical Israelite held in Babylonian captivity who 
walked through a wall of fire and survived. 


ACK—See illustration on page 100. 


Back door—A secret way to enter a computer that bypasses nor- 
mal security procedures. 


Buffer overflow—See illustration on page 102. 
Core dump—See illustration on this page.


Daemon—An automatic utility program that runs in the back- 
ground of a computer. 


Dogberry—The constable in William Shakespeare’s Much Ado 
about Nothing. 


FIN—See illustration on page 100.


Firewall—Defensive software that protects a computer system 
from unauthorized intruders. 


FTP—File transfer protocol, a common protocol and program 
used to transfer files over the Internet. 


IP—Internet Protocol, a low-level convention that allows computers
to move packets of data across the Internet.


Internet Relay Chat—An on-line chat service.


ISP—Internet service provider.


Keystroke logger—A program that records everything a user 
types at a keyboard. 


Port—A connection, or channel, into a computer. 
RAM—Random-access memory. 
Root—The highest level of access to a Unix computer.


Root kit—A program that hackers implant in a victim computer 
to hide their nefarious activities. 


RST—See illustration on page 100. 


Scanner—A program that attempts to learn about the weakness- 
es of a victim computer by repeatedly probing it with requests 
for information. 


Sequence number—A number used to coordinate an upcoming 
IP transmission. 


Shell—A software layer that provides the interface between a 
user and the operating system of a computer. 


Sniffer—A program that records computer and network activity. 
Spoof—See illustration on page 104.
SYN—See illustration on page 100. 


TCP—Transmission control protocol, the set of communications 
conventions that enable the sending and receiving of data over 
the Internet. 


Telnet—A Unix command that enables a user to log on to a computer
from a remote location.


Unix—A powerful operating system. 


War dialer—A program that will automatically dial a range of 
telephone numbers.

BUFFER OVERFLOW is an exploitable weakness of certain programs,
for example, those written in the C computer language, running on
an operating system such as Unix. To instigate a buffer overflow, the
hacker might run a C application on the victim computer (a). The
program begins to write data into a buffer, a temporary storage
space in memory (b). The application wants to move data from location
1 into 2, then into 3 (c). But the hacker forces the program to accept
excess data so that some of the information begins to leak from
location 1 into 4 (d). The hacker can take advantage of the overflow
to insert his own code (e), which has been written to help
him gain high-level privileges to the victim computer.

As a safety precaution, Abednego telnets from his current
hacked account into another of his pirated accounts. He
then telnets from that location to yet another account that 
he has hacked, remotely logging on to it in preparation to 
run more FIN port scans. The extra steps will force anyone 
in law enforcement to obtain search warrants for three 
companies, encumbering the process. 
He also decides to hide on the third hacked computer under
the protection of a root kit, a Trojan horse program that,
despite its harmless appearance, will automatically delete 
any evidence of his actions from the logs used to detect ab- 
normal activities. The software also defeats other programs 
that seek to detect alterations to system files on that com- 
puter. A root kit will even prevent people from determining 
that he is logged on and running programs. 

From this safe perch, Abednego scans one after another of 
the Internet host computers at refrigerus.com and refrigera- 
torz.com. The FIN scanner slips straight through the fire- 
wall to every one of them. The activity, though, is detected 
by the EtherPeek sniffer, which again sets off Dogberry’s 
beeper.

A haggard Dogberry, after rushing to work, soon identifies 
the origin of the FIN scans and alerts the system administra- 
tor at Abednego’s third hacked account. But the root kit has 
done its job, hiding Abednego from mystified computer op- 
erators there. Abednego boldly continues, switching from 
the stealth scanner to Strobe in hopes of finding an IP ad- 
dress that the firewall does not protect. 

He succeeds only in having the refrigerus.com firewall 
unleash a flood of meaningless data. The sudden load finally 
convinces the system administrator at Abednego’s hacked 
account that there really must be an attacker at work. She 
takes the drastic step of cutting the entire system off from 
the Internet. As his connection fizzles, Abednego realizes 
there is no elegant way around the firewall. 


Finding a Workaholic 


For each of the several dozen Internet hosts at Refrigerators
R Us, Abednego guesses that there are probably
many other desktop computers sitting quietly in employees’
cubicles and offices. What are the chances, he muses a
few nights later, that somewhere among those hundreds of
users are workaholics who circumvent the company firewall
by phoning into their computers from their homes to perform
late-night tasks? It’s simple, really, for someone to buy
a modem, connect it to a computer at work and plug a
phone line into it before leaving for the day.

Knowing that almost every large corporation has at least 
one unauthorized modem on its network, Abednego sets up 
ShokDial, a war-dialer program that will call each of the ex- 
tensions to the phone system at Refrigerators R Us as well as 
other numbers within that exchange. At the headquarters 
building of the company, the night watchman hears the 
ringing of one office phone after another but thinks noth- 
ing of it. 

Then, at 2:57 A.M., the war dialer pulls up a modem, and 
Abednego is greeted with the log-on screen of a Silicon 
Graphics computer: “Refrigerators R Us Marketing Depart- 
ment. Irix 6.3.” Great, Abednego thinks, because Irix is a 
type of Unix, which means he has found a potent portal 
into Dogberry’s world.

Abednego’s next strategy is to try brute force, using a program
that will repeatedly dial the Irix box and guess passwords
for root, a top-level account (usually reserved for system
administrators) from which he can run any command
and access all information on that particular computer. He
is hoping that the owner of the Irix machine, like many
harried workaholics, has negligently allowed remote access
to a root account.

The password guesser starts with common words and 
names and from there tries less obvious choices. The slow, 
painstaking process can take months, even years, as the 
program exhausts every word in an unabridged dictionary, 
all names in an encyclopedia and each entry from a local 
phone book. But Abednego gets lucky. Around 5 A.M. he
learns that the password is simply “nancy.” 

“Yes!” Abednego shouts as he logs on to a root shell, from
which he can then issue other commands to run on that
machine. Next, he secures his beachhead, using FTP (file
transfer protocol) to plant a root kit and sniffer onto his latest
victim. He sets the program to capture and record everything
typed in at the console (a process known as keystroke
logging), as well as any log-on sessions from the network.
The sniffer will hide this information in an innocuously
named file right there on the unwitting host. Within minutes,
Abednego’s root kit has even set up an additional way
to log on: user name “revenge,” password “DiEdOgB.”

Abednego’s last deed that morning is simple. To find the 
Internet address of the hijacked box, he types the “who” 
command, and his computer shows user “revenge” logged 
on to picasso.refrigeratorz.com. Later that morning the rightful
owner of picasso logs on and sees no indication that
someone has usurped control of her computer. Abednego’s
root kit is doing its job. 

For Dogberry’s part, all that his log reveals is an early- 
morning attempt to enter refrigeratorz.com from the Inter- 
net. Remembering the recent FIN scans, Dogberry is trou- 
bled by this latest incident, but he has too little information 
to take action.

Two nights later Abednego dials in and connects with picasso
to view his logs. To his dismay, he sees that information
on the internal network traffic has been encrypted. But
the keystroke logger of his sniffer has recorded that someone
on picasso had logged on to another computer named
fantasia. Abednego now owns a user name and password
for fantasia. Open sesame!

Abednego discovers that the computer is a SPARC work- 
station used for rendering animated sequences, perhaps for 
television ads. Because the box is probably a server used by
many other computers, Abednego begins hunting for a pass- 
word file, hoping that some of the passwords he finds will 
also work on other machines inside the company network. 

He locates the file but discovers only “x” characters where 
the encrypted passwords should have been. Apparently, the 
information he seeks is hidden elsewhere in a shadowed 
file. Smiling to himself, Abednego runs the FTP program 
and tricks it into crashing. Bingo, core dump! 

Fantasia is forced to flush a part of its random-access 
memory (RAM). Fortunately for Abednego, the discarded 
information—a record of what was being held in that RAM 
sector at that moment—ends up in the user directory. 

The legitimate purpose of a core dump is to enable programmers
to perform an autopsy on the digital remains in
search of clues to a program’s failure. But, as Abednego well 
knows, a core dump has other uses. A shadowed password 
system sometimes places encrypted passwords in RAM. 
When a person logs on, the computer does a one-way en- 
cryption of the password the user attempts and compares 
that with the encrypted password from the shadowed file. If 
the two match, the person gets in. 

The shadowed password file that Abednego is able to re- 
trieve from the core dump on fantasia is encrypted, so he 
starts running his password cracker. The program could be 
busy for the next few days, maybe even weeks. 

Too impatient to wait, Abednego 
is already working on his next ma- 
neuver—exploiting a common vul- 
nerability of Unix. When a program 
running on that operating system 
pours excessive data into a buffer (a 
temporary storage space in memo- 
ry), the information will leak, infil- 
trating other areas of the comput- 
er’s memory. 

Abednego takes advantage of the
buffer overflow by using it to insinuate
his own code into the SPARC.
The added software helps him create
a root shell, from which he can then run other commands
and programs. Pleased with his latest effort, Abednego
next installs a root kit and sniffer. Because the kit will
hide evidence of his activities only from the time when the
program was activated, Abednego must mop up by deleting
previous actions of his busy night.

One task remains. Is there anyone who is allowed to log
on to fantasia from the Internet? Abednego types the “last”
command to display records of connections people may
have made to fantasia. He perks up as he sees that user
names vangogh and nancy have recently entered fantasia
from the Internet through the domain “adagency.com,”
which lies outside the Refrigerators R Us firewall.

Abednego can hardly fall asleep that morning. His adren- 
aline flowing, he buzzes with the knowledge that he will 
soon “own” Refrigerators R Us. 


Closing in for the Kill 


The next evening Abednego makes short work of breaking
into adagency.com. At first he uses IP spoofing to trick
that computer into recording a false IP address for his location.
By probing adagency.com with SYN packets to elicit
ACK/SYN responses with an assortment of sequence numbers,
Abednego’s program is able to tease out a pattern
from which he can then guess the next sequence numbers
and use that knowledge to fake his origin. Abednego quickly
installs a sniffer on adagency.com and uses a secure-shell
program to create an encrypted connection for logging on to fantasia.

From that computer, he types the “netstat” command to 
view tables of active connections within the network. He 
discovers a computer that he had missed in his earlier search. 
Its name, “admin.refrigerus.com,” is promising. Could that 
be from where Dogberry oversees the system? 

Meanwhile every time Abednego’s PC cracks yet another 
combination of user name and password, he tries it on vari- 
ous refrigerus.com computers. But none of them works any- 
where except on fantasia, which he already “owns.” 

Then Abednego hits the jackpot. Twice. 

On fantasia he captures keystrokes made by vangogh as 
that user updated the company’s Web server. Now Abed- 
nego has the password he needs to hack the Refrigerators R 
Us Web site. In addition, his sniffer on picasso reveals that 
someone, Nancy, has dialed into that computer and from 
there used a back door to log on to a root account, hidden 
by her root kit, at admin.refrigerus.com. 

He slips right behind Nancy into admin.refrigerus.com. 
Using the root account there, he tries logging on to one Re- 
frigerators R Us computer after another. Dogberry, however, 
has been exceedingly careful. On the Refrigerators R Us net- 
work, even root privileges do not allow someone to enter 
other computers without providing new passwords. 

Only briefly distracted, he turns his attention back to the 
Web server and logs on to it using his recently acquired 
password. From his home PC, he then uploads a new version of 
the Refrigerators R Us home page that he had put together 
in anticipation of this day. 

Back at Refrigerators R Us, Dogberry is working late, 
poring over his logs. It seems the marketing people have been 
getting an unusual number of connections from adagency.com. 
Tomorrow he will ask those folks exactly what is going 
on. He will also call the system administrator at 
adagency.com, a colleague whom he once helped to install 
some new system software. 

Just as Dogberry is about to head home for the night, the 
phone in his office rings. An angry customer complains that 
Refrigerators R Us’s Web site features a pornographic movie 
with a refrigerator as a prop. After bringing up and viewing 
the defaced Web page, Dogberry moves quickly to sever the 
umbilical Ethernet cable that connects the company network 
to the Internet. 

Abednego is enraged when his obscene masterpiece is taken 
down so quickly. But he is also worried that he has left 
too much evidence behind, so he returns using the dial-up 
line to picasso—an entryway that is still unknown to 
Dogberry. He buys time by reformatting completely the 
administrative computer’s hard disk, which shuts down the 
company network, temporarily thwarting Dogberry’s efforts 
to gather details of the attack. 

Dogberry rushes to the administrative computer with 
hopes to reboot it from the console, but he is too late. 
Dogberry must now rebuild the software on that computer from 
scratch. (Unbeknownst to Abednego, though, the EtherPeek 
sniffer running on a nearby Macintosh has also been making 
logs.) 

Abednego, still peeved about the Web site, has one final 
act that night: he unleashes a flood of data packets against 
refrigerus.com. Soon Dogberry gets a frantic call from a 
company salesperson who, using her laptop PC and a phone 
line in her hotel room, wants to retrieve her important 
e-mail but has been unable to connect to the mail server at 
Refrigerators R Us. 

The next morning an exhausted Dogberry begs the vice 
president of technology at Refrigerators R Us for an okay to 
wipe clean every computer in the network, reinstall every 
program and change all passwords. But the extensive— 
though prudent—measure would require shutting the system 
down for days, and the vice president denies the request. 


104 SCIENTIFIC AMERICAN October 1998 


[Illustration labels: VICTIM; TRUSTED COMPUTER; ACK] 

IP SPOOFING enables a hacker to fake his identity. The hacker first 
probes his victim by sending multiple SYN packets [see illustration 
on page 100] to obtain ACK/SYN messages with sequence numbers 
(left). From these responses, the hacker is able to uncover a 
pattern. In this example, he notices that the numbers increase by 
an increment of 128,000. Next, the hacker sends a SYN that 
impersonates another computer that the victim trusts. The victim 
then transmits an ACK/SYN to this authorized host (center). 
Although the hacker does not receive this particular response, he 
can nonetheless continue the correspondence as if he had: he 
issues an ACK message with the correct predicted sequence number, 
thus establishing a connection between his computer and the 
victim (right). The hacker can then transmit information that the 
victim will assume is benign because of the mistaken belief that it 
is coming from the trusted host computer. 


At this point, Abednego’s malicious and destructive 
exploits have gone well past the legal bounds for hacking. But 
the FBI, which is severely understaffed, has been busy 
investigating some recent break-ins at several army and navy 
computer systems around the U.S. Dogberry will have to 
gather more evidence himself. 

Because the attacker remained on the system even after it 
had been physically disconnected from the Internet, 
Dogberry suspects there must be a contraband modem 
somewhere in the building. He runs his own war dialer and 
discovers the culprit. He will soon have words with the 
marketing department! 

Dogberry then reloads a clean version of his main 
administrative computer. Next, on a Windows NT server that 
Dogberry knows has not been tampered with, he deploys 
T-sight, an advanced antihacker program that can monitor 
every machine on the company network. 

Last, Dogberry sets his trap. T-sight will watch for the 
attacker’s next connection to admin.refrigerus.com and will 
redirect the intruder into a “jail” computer. Once there, the 
culprit can be monitored and traced. To keep the 
unsuspecting person distracted, Dogberry enlists a team of 
programmers to make the jail look like an accounting system, 
complete with the tempting bait of fake financial data. 


Pride Goeth Before... 


Just two nights later Dogberry is standing watch at 8:17 
P.M. when he discovers someone once again entering 
admin.refrigerus.com. It is Abednego. Why has he returned so 
soon? Abednego was exhilarated when he learned that his 
pornographic Web site had become the talk of the hacker 
underground. He had even rated a brief mention on CNN. 
The publicity and his hubris were a potent combination, 
making Abednego feel invincible. 

In fact, tonight he has brazenly reentered Refrigerators R 
Us without his customary caution. After dialing into a guest 
account on an ISP, he telnetted directly to adagency.com to 
gain faster access to fantasia’s back door. 

From admin.refrigerus.com, Abednego is lured to the jail 
by T-sight. He can hardly control his excitement as he 
begins sifting through what he believes are sensitive financial 
records. 

Dogberry, too, is busy. Quickly analyzing data from 
T-sight, he obtains Abednego’s root password on fantasia— 
DiEdOgB—and is able to trace the intruder back to 
adagency.com. Dogberry calls the pager of the system 
administrator there. She has already left work, but she phones 
Dogberry from a restaurant to help him continue tracking 
Abednego. 

So while Abednego is retrieving a huge file containing 
bogus credit-card numbers, Dogberry installs a sniffer on 
adagency.com. He is even able to sneak unnoticed into 
Abednego’s account on that computer by typing DiEdOgB, 
because Abednego has lazily used the same password for all 
his root kits. Then, just minutes before Abednego finishes 
his download and logs off, Dogberry succeeds in tracking 
the trail of the plundered credit-card file back to 
Abednego’s dial-up account at the ISP. 

The information Dogberry has obtained is enough to 
bring in the FBI, which contacts the ISP the next day to 
obtain Abednego’s identity from the company’s phone logs. 
With enough evidence in hand, including the Macintosh’s 
high-quality EtherPeek logs, the U.S. Attorney’s office 
approves a search warrant. 

Soon after, FBI agents raid Abednego’s apartment and 
confiscate his PC. The hard disk of the computer will reveal 
all. Abednego had taken the precaution of erasing 
incriminating files from his PC after each night’s escapade. He is 
chagrined to learn that the FBI can extract that information 
from his hard drive even after it had been erased and 
overwritten several times. Soon a laboratory has recovered 
details of his past trespasses, including the time he romped 
through the computer system at a major banking 
institution in the Northeast. 

The megabytes of incriminating data provide the smoking 
gun necessary to indict Abednego on multiple counts 
of computer fraud. Unfortunately for him, the trial judge 
assigned to his case is known for her tough stance on 
cybercrime. Taking his attorney’s advice, Abednego wisely accepts 
a plea bargain even though, like many hackers who have 
crossed the line, he insists that his activities—which, for 
Refrigerators R Us alone, resulted in thousands of dollars in 
damages—were just playful pranks. Abednego is currently 
serving a two-year sentence in a federal prison. 

FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 10/22/98 


Source, who is not in a position to testify, provided 
the following information: 


On October 13, 1998 Federal Bureau of Investigation 
(FBI) Special Agent (SA) [____] received information b6 
from Source (via electronic mail) regarding the recent computer b7C 
hack of the New York Times web page. Source advised that b7D 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 10/21/98 


Source, who is not in a position to testify, provided 
the following information: 


On October 11, 1998 Federal Bureau of Investigation 
(FBI) Special Agent (SA) received a series of 
electronic mail (e-mail) messages from Source regarding the 
recent computer hack of the New York Times web page. These 
messages indicate 


The information 


Investigation on 10/11/98 (telephonically) 

File # Date dictated 10/21/98 

by 


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FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 11/2/98 


On October 22, 1998 Federal Bureau of Investigation 


(FBI) Special Agent (SA) received an b6 
electronic mail (e-mail) message from b7C 
PROTECT IDENTITY regarding b7D 
b7E 
The reply e-mail message from 
read as follows: 

b6 
b7C 
b7D 
Investigation on 10/22/98 at [____] (telephonically) 
File # Date dictated 11/2/98 
b7C 
b7E 


Continuation of FD-302 of [____] (PROTECT IDENTITY), On 10/22/98, Page 4 


advised that he currently works as b6 
b7C 
b7D 


area. 


FD-302a (Rev. 10-6-95) 


Continuation of FD-302 of [____] (PROTECT IDENTITY), On 10/22/98, Page 5 b6 


provided SA [____] with his pager number [____] b7D 
and advised that he uses an internet service provider 


by the name of 


b3 
b6 
b7C 
b7E 


Sep-30-98 14:10 
FD-809 (Rev. 12-5-96) 
INVESTIGATIVE INFORMATION REQUEST FORM 
FBI, Butte Information Technology Center 
400 North Main Street, Room #115 
Butte, Montana 59701 


> Commercial Telephone (406) 782-2304 
> FTS: (406) 782-2304 FAX: (406) 782-9504, 782-9507 & 782-7418 
> Secure FAX & STU III: (406) 782-2304, Ext. 26 


TO: FBI, BUTTE INFORMATION TECHNOLOGY CENTER 

poster Som pe ee 

¥ : of Request: Vf FAX ( Teleal C} Mail Respet 

SLA pea BVA -Bt-FB ay 9 RABY WED 

Office RA: Mernawwn New \Vio{_ 7/57 precetence: ROUTINE OC noeDU 

SEARCH CRITERIA (Attach additional sheets if necessary) 

Name - Last: First: j sail a | 
Alias: aa M_ post: DOB2: fn 
ssani| Ss SAND: > «Spouse: 

Acad C) Yes O No Dees awe State: 


8. Determine Who Resides at Address Listed Above 
9. Determine Financial Background Info, i.e., Bankruptcy, Judgments, Liens, UCC filings, or Lawsuits 
10. Determine Corporate Business Info, i.e., Officer, Director, Registered Agent 

(Person/Business) 


11. Customs Border Crossings / Subject query / I-94 info (circle one) 
12. Federal Prison Inmate Information 


13. Telemarketing Complaints 


Reply From: FBI, Butte Information Technology Center (BITC) 
Return Reply To: 


Based on search criteria, marked records are attached: 
Possible Identifiable Records   Brief Synopsis of Information Found 
No Information Found 


(12/31/1995) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 11/04/1998 


To: New York Attn: SA [____] 
From: [___] 


Security Squad 


Approved By: [ 


Drafted By: 

Case ID #: (Pending) 
Title: HACKERS FOR GIRLIES (HFG), ET AL; 
NEW YORK TIMES - VICTIM; 

CITA - INTRUSION; 


Synopsis: Information received regarding web page computer 
intrusion. 


Enclosures: 1) Two copies of FD-302 (Source) dated 
10/21/98; 2) Two copies of FD-302 (Source) dated 
10/22/98; 3) Original and one copy of FD-302 [____] 
dated 11/2/98. 


Details: Enclosed for New York are the above FD-302s regarding 
information received about the above investigation. While the 
documents are self-explanatory, questions may be directed to 
SA [____] at the [____] 


b3 
b6 
b7Cc 
b7D 
b7E 


b6 
b7C 
b7D 


FD-302 (Rev. 10-6-95) 




FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 0/2 8 


SOURCE, who is not in a position to testify, provided 
the following information: 


SOURCE advised that [____] b6 
b7C 
b7D 


SOURCE also advised that [____] 


b6 
b7C 
b7E 


Investigation on 10/26/98 at Manhattan, New York (telephonically) 


File # Date dictated 10/26/98 b3 


b6 
by SA 
b7E 




U.S. Department of Justice 


Federal Bureau of Investigation 


In Reply, Please Refer to 


26 Federal Plaza 
File No. 


New York, New York 10278 
October 14, 1998 


The purpose of this letter is to request system, backup 
and log information for Internet Protocol cs a 


using the Domain Name during the period of August 
15, 1998 through September 15, 1998. In particular, any and all 
information relating to telnet and ftp logs and files is 
requested. Thank you for your assistance in this matter. 


Sincerely, 


Victor M. Gonzalez 
Special Agent in Charge, 
Criminal Division 




By: 


Supervisory Special Agent 


b6 
b7C 


b6 
FD-809 (Rev. 12-5-96) 


INVESTIGATIVE INFORMATION REQUEST FORM 

FBI, Butte Information Technology Center 
400 North Main Street, Room #115 
Butte, Montana 59701 
> Commercial Telephone (406) 782-2304 
> FTS: (406) 782-2304 FAX: (406) 782-9504, 782-9507 & 782-7418 
> Secure FAX & STU III: (406) 782-2304, Ext. 26 

ITC Use Only: BITC Record #: 
Date/Time In: am / pm 
Date/Time Out: am / pm 
Database(s) Used: 
Handled By: 


TO: FBI, BUTTE INFORMATION TECHNOLOGY CENTER 
Date: |O LS 


3: 
4, 
H 


Forfeitu i 7 Type of Request: O FAX O Telcal 0 Mail Response: (J Telcal_C] Mail 
Requestor Phone Ho [A384 3 iQ Trax #: uC 

(Requester Nor is Required) e #) 1s Require 
Office/RA: Pa ae Precedence: O] ROUTINE (© IMMEDIATE 


(Emergency/Crisis Situatie 
SEARCH CRITERIA (Attach additional sheets if necessary) 
Name - Last: First: Middle: 
Alias: Sex: ~-DOB1: [ l DOB2: / 
SSAN fs ssana: - - Spouse: 
Fugitive: [1 Yes O No -Driver’s License #: State: 
RESIDENCE 
Street Address: City/State: Zip: Phone: 
BUSINESS 
Business Name: Street Address: 

ig City/State: Zip: Phone: Business ID#: 

. CHECK DESIRED SEARCH PARAMETERS (Please check only those that are needed) 
1. Specific Information Desired 
2. Determine All Individuals Associated with Social Security Number(s) 
3. Report Validity of Social Security Number 
4. Determine Who is Associated with Telephone Number(s) 
5. Determine Address of Business/Person ( U.S. State(s)) 
6. Determine Property Owned by Individual ( U.S. State(s)) 
7. Determine Who Owns Property Listed Above 
8. Determine Who Resides at Address Listed Above 
9. Determine Financial Background Info, i.e., Bankruptcy, Judgments, Liens, UCC filings, or Lawsuits 
10. Determine Corporate Business Info, i.e., Officer, Director, Registered Agent (Person/Business) 
11. Customs Border Crossings / Subject query / I-94 info (circle one) 
12. Federal Prison Inmate Information 
13. Telemarketing Complaints 


Reply From: FBI, Butte Information Technology Center (BITC) 


Return Reply To: 
SAC, 


b6 
b7C 


Based on search criteria, marked records are attached: 
Possible Identifiable Records   Brief Synopsis of Information Found 
Other Peripheral Information   No Information Found 



REPLY FORM - INVESTIGATIVE INFORMATION SERVICES 


To help us better serve your investigative needs, please complete 
and return to: 


FBI, Butte Information Technology Center 
400 Main Street, Room #115 
Butte, Montana 59701 


BUTTE ITC RECORD #: 182963 UCFN : 
ANALYST : SUBJECT: 


Was the information provided helpful to your investigation? O YES O NO 
If NO, please let us know how we could be more helpful to your 
investigation: 


ACCOMPLISHMENT (S) resulting from information: 
PERSON(S): (Enter total number applicable to each of the following) 


FBI Fugitive(s) Arrested: [ ] FBI [ ] Local Date 
(Forward photo of Fugitive arrested with this Reply form) 
Local Fugitive(s) Arrested: [ ] FBI [ ] Local Date 
(Forward photo of Fugitive arrested with this Reply form) 
Subject(s) [ ] Arrested [ ] Located [ ] Identified 
(Forward photo of Subject arrested with this Reply form) 
Witness(es) [ ] Located [ ] Identified 
New Witness(es) [ ] Located [ ] Identified 
BUSINESS(ES): (Enter total number applicable to each of the following) 
New Business(es) Identified 
New Business Associates/Associations Identified 
Financial Audit Trail(s) Enhanced 
ASSET(S): (Enter total number applicable to each of the following) 
(TYPES: C = CASH R = REAL PROPERTY P = PERSONAL PROPERTY) 
Asset(s) [ ] Located [ ] Identified [VALUE: TYPE: 
Asset(s) Subject to Seizure/Forfeiture [VALUE: TYPE: 
Potential Economic Loss Prevented [VALUE: TYPE: 
OTHER: (Enter total number applicable to each of the following) 
New Case(s) Initiated New Lead(s) Generated 
COMMENTS : 


1 - Case File 
1 - BITC 


b7E 


Nov-05-98 8 OOS: 50 


FBI, Butte Information Technology Center 


> Commercial Telephone (406) 782-2304 
> FTS: (406) 782-2304 FAX: (406) 782-9504, 782-9507 & 782-7418 
> Secure FAX & STU III: (406) 782-2304, Ext. 26 


TO: FBI, BUTTE INFORMATION TECHNOLOGY CENTER 


Dete: __|]-5-4§ 
Forfciture/Seizure Related: (1) Type of Request: SAFAX  Teical O Mail Response: Mi Teieal O MDUE 
Requestor: vrone #; 212 - 284-3097 vay g, 212-St4-4G60 cen 

ig Roguired) 
omeema: “New vate Rreeedemce: ROUTINE CO DMMEDIATS 


(Emesgency/Crisis ) 


SEARCH sheets if necessary) 

a aaa =o a 

Alias: Sex: M_ posi: f DOB2: a 
SSANI:_. se - SSAN2: se Sprouse: 


Fugitive: 0) Yes TENo Driver's License #2 State: 


RESIDENCE | ; 
Street Address: ciysue| Zip] | Phone: . 


ie 


BUSINESS 


Business Name a ae 

ne ee ent EE ae ed Business ID#: _____. 
CHECK DESIRED SEARCH PARAMETERS (Please check only those that are needed) 
1. Specific Information Desired _ Social Security + 


9. Determine Financial Background Info, i.e., Bankruptcy, Judgments, Liens, UCC filings, or Lawsuits 
10. Determine Corporate Business Info, i.e., Officer, Director, Registered Agent 
(Person/Business) 


Reply From: FBI, Butte Information Technology Center (BITC) 


Based on search criteria, marked records are attached: 
Possible Identifiable Records   Brief Synopsis of Information Found 
Other Peripheral Information   No Information Found 


NOV 4 3 1998 


‘ 


Nov-02-98 12:02 
FD-809 (Rev. 12-5-96) 
INVESTIGATIVE INFORMATION REQUEST FORM 
FBI, Butte Information Technology Center 
400 North Main Street, Room #115 
Butte, Montana 59701 


> FTS: (406) 782-2304 FAX: (406) 782-9504, 782-9507 & 782-7418 
> Secure FAX & STU III: (406) 782-2304, Ext. 26 


TO: FBI, BUTTE INFORMATION TECHNOLOGY CENTER 


Fortcitere/Saicare Related: ‘Type of Request: 0 FAX 0 Teical 0 Madi Response: C) Teleal SX Mit 
Requester: Paese f; 212-384-3187 vax #: 202 364-4660 vere a 

Office RA: wi Precedeace: {ROUTINE 0 INMEDAT —— 

SEARCH eddiioaal hens i necessary) aa 
Name - Last: Piss:: Middle: 


Alias: 
et 


2. Determine All Individuals Associated with Social Security Number(s) 
3. Report Validity of Social Security Number 
4. Determine Who is Associated with Telephone Number(s) 


9. Determine Financial Background Info, i.e., Bankruptcy, Judgments, Liens, UCC filings, or Lawsuits 
10. Determine Corporate Business Info, i.e., Officer, Director, Registered Agent 
(Person/Business) 


11. Customs Border Crossings / Subject query / I-94 info (circle one) 
12. Federal Prison Inmate Information 
13. Telemarketing Complaints 


Reply From: FBI, Butte Information Technology Center (BITC) 


Return Reply To: 
SAC, 


Based on search criteria, marked records are attached: 
Possible Identifiable Records   Brief Synopsis of Information Found 
Other Peripheral Information   No Information Found 


tor — NeW YOR 


a 


Oct-23-98 16:49 


FD-809 (Rev. 12-5-96) 
INVESTIGATIVE INFORMATION REQUEST FORM 


FBI, Butte Information Technology Center 
400 North Main Street, Room #115 
Butte, Montana 59701 


> Commercial Telephone (406) 782-2304 
> FTS: (406) 782-2304 FAX: (406) 782-9504, 782-9507 & 782-7418 
> Secure FAX & STU III: (406) 782-2304, Ext. 26 


TO: FBI, BUTTE INFORMATION TECHNOLOGY CENTER 


ihe i Oa C pe 
2 Olay Koln O am Oem 


Dese: ___i0- 93-48 
Fortelture/Seizure Related: (Type of Request: Sf FAX OI Teical O Mall Responec: O) Teleal $i Mail 


vaene & AIA- KY -31GF wax a: PB 3S4- 660 UCEN: 


Requester: Sf 


2. Determine All Individuals Associated with Social Security Number(s) 
3. Report Validity of Social Security Number 
4. Determine Who is Associated with Telephone Number(s) 


9. Determine Financial Background Info, i.e., Bankruptcy, Judgments, Liens, UCC filings, or Lawsuits 
10. Determine Corporate Business Info, i.e., Officer, Director, Registered Agent 
(Person/Business) 


11. Customs Border Crossings / Subject query / I-94 info (circle one) 
12. Federal Prison Inmate Information 
13. Telemarketing Complaints 


8. Determine Who Resides at Address Listed Above 


Reply From: FBI, Butte Information Technology Center (BITC) 


Return Reply To: 

Possible Identifiable Records   Brief Synopsis of Information Found 


Other Peripheral Information   No Information Found 
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» Federal Bureau of Investigation 
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FBI, Butte Information Technology Center 
INVESTIGATIVE INFORMATION SERVICES 
400 N. Main St., Room 115 
Butte, MT 59701 
Telephone: (406) 782-2304 
FAX: (406) 782- - 782-7418 
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